
Does GSA SER leave me vulnerable to email hacks?

Since I started using GSA SER I have had a number of letters from my hosting company like this:

It has come to our attention that messages sent from an account under your control are being reported back as spam. Upon further investigation it was determined that an email account under your control has been exploited. It appears that your email password has been compromised which allowed these messages to be sent. We have updated your password(s) in order to prevent this from recurring. Please scan the PC that uses this email address with an updated AV and Malware scanner to ensure that the infection is removed. Please provide us with the details of how your PC is scanned and secured. Please let us know if you have any questions or if we can be of any further assistance to you.

Affected Email Account: geeser@domain.com.au
New Email Password: xxxxxxxxx
New cPanel Password: xxxxxxxxx

Mail Log Parsed from Jul 21, 2014 23:30:33 to Jul 22, 2014 23:30:33

User sent approximately 306,767 messages to 290,617 unique recipients.
There were 99736 bounces on 240210 unique addresses, 32 percent of the emails sent.

It has only been on websites where I'm using a POP3 address for GSA SER. No others.

My computer has been scanned by Malwarebytes Pro, SpyBot and NOD32; no infections.

Can anyone offer me advice?

Thanks, John

Comments

  • Maybe someone brute-forced the password. It's happened to me before.
  • So just increase it to say 33 characters? e.g. L5ml7RJPvs85B#A9vP8U^hp!2V#eiF94#

    Is there any way to get them barred after say 5 attempts?

    Like you can get the Limit Login Attempts plugin for WordPress.


  • Do you have WHM or just cPanel?

  • Are you using the emails from this domain in your GSA campaign? If so then the sites must have reported the email for spamming. This is why we go with Yahoo or mail.ru.
  • Dude - WHM and cPanel - Hostgator reseller package.
    Vij - the email has been hacked. See it sent 300,000 emails? That's not GSA SER.

  • @johnwey oh sorry, I didn't see the sent mails part.
  • I don't know much about hostgator or what their packages offer. I left them about 3 years ago forever. I also forgot to ask if you had SSH, but I guess if you have WHM then you do.

    In WHM you can use cPHulk, which will ban an IP after x amount of failed login attempts (I chose 1 failed login attempt).

    You can also use the CSF firewall, which is a very handy thing. You will need to install that via SSH, then configure it. That's all pretty straightforward.

    The last option I can think of in WHM is using Host Access Control. You can really only use this if you are the only person that is supposed to access your server, or email. You basically whitelist your IP on the services you specify, then blacklist everyone else.
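The two controls described in that comment (ban an IP after N failed logins, and only accept logins from an allow-listed IP) can be checked after the fact against the mail log. The script below is an added example for this thread, not code from the forum, GSA SER, cPanel/WHM, cPHulk or CSF. The log lines are constructed and modelled on the Dovecot `pop3-login`/`imap-login` messages a cPanel server writes to `/var/log/maillog`; the 5-failures-in-10-minutes threshold, the log year and the allow-list IP are assumptions for illustration.

```python
"""Brute-force and unexpected-login detection over mail-login log lines.

Added example, not code from the forum thread, GSA SER, cPanel/WHM, cPHulk
or CSF. Log lines are constructed and modelled on Dovecot login messages
in a cPanel /var/log/maillog; threshold, window and allow-list are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (no real traffic). 203.0.113.5 hammers the account,
# 203.0.113.200 fails slowly, 192.0.2.9 fails twice and then gets in,
# 198.51.100.77 stands in for the mailbox owner's own address.
SAMPLE_LOG = """\
Jul 22 01:00:01 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jul 22 01:00:09 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jul 22 01:00:17 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jul 22 01:00:25 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jul 22 01:00:33 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jul 22 01:00:41 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jul 22 01:05:00 host dovecot: pop3-login: Login: user=<geeser@domain.com.au>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, mpid=4242, TLS
Jul 22 02:10:00 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.200, lip=198.51.100.2
Jul 22 02:40:00 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.200, lip=198.51.100.2
Jul 22 03:10:00 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.200, lip=198.51.100.2
Jul 22 03:40:00 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.200, lip=198.51.100.2
Jul 22 04:10:00 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=203.0.113.200, lip=198.51.100.2
Jul 22 05:00:00 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2
Jul 22 05:00:08 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<geeser@domain.com.au>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2
Jul 22 05:00:16 host dovecot: imap-login: Login: user=<geeser@domain.com.au>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2, mpid=4300, TLS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<svc>pop3|imap)-login: (?P<rest>.*)$"
)
USER_RE = re.compile(r"user=<([^>]*)>")
RIP_RE = re.compile(r"rip=([0-9.]+)")
LOG_YEAR = 2014  # syslog timestamps carry no year; assumed from the thread's date


def parse_events(text):
    """Turn raw maillog lines into (time, service, user, remote_ip, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # exim delivery lines and other non-login noise are skipped
        user, rip = USER_RE.search(m["rest"]), RIP_RE.search(m["rest"])
        if not (user and rip):
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        # Dovecot logs a successful authentication as "Login:" and a failed one
        # as "Disconnected (auth failed ...)".
        success = m["rest"].startswith("Login:")
        events.append((ts, m["svc"], user.group(1), rip.group(1), success))
    return sorted(events)


def find_bruteforcers(events, threshold=5, window_minutes=10):
    """IPs with >= threshold failures inside a sliding window (the cPHulk/CSF idea).

    Returns {ip: time the threshold was first crossed}. A ban issued at that
    moment would have cut off every later attempt from that address.
    """
    window = timedelta(minutes=window_minutes)
    recent, banned = defaultdict(deque), {}
    for ts, _svc, _user, rip, success in events:
        if success or rip in banned:
            continue
        q = recent[rip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            banned[rip] = ts
    return banned


def find_unexpected_logins(events, allowed_ips):
    """Successful logins from IPs outside an allow-list.

    Host Access Control enforces this up front; run after the fact, a hit
    means someone other than the allow-listed client already knows the password.
    """
    return [(ts, user, rip) for ts, _svc, user, rip, ok in events
            if ok and rip not in allowed_ips]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, when in find_bruteforcers(evs).items():
        print(f"ban {ip}: threshold crossed at {when:%b %d %H:%M:%S}")
    for ts, user, ip in find_unexpected_logins(evs, {"198.51.100.77"}):
        print(f"unexpected login for {user} from {ip} at {ts:%b %d %H:%M:%S}")
```

Note what the slow attacker (203.0.113.200) shows: with a 10-minute window it is never banned, so a low, steady rate of guesses slips under a per-window counter and only a longer window or a permanent allow-list catches it. The 192.0.2.9 case is the one that matters for the thread: two failures and then a success from an unknown address is exactly what a leaked or guessed password looks like in the log, and no failure threshold will flag it.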


  • Dude . . .

    Now THAT'S the type of info I was looking for! Thanks for your help

    The only thing left to ask is probably for Sven himself.

    I've been hosting hundreds of sites over 5 HG servers since 2004

    Never has any email address been hacked like this

    And it's only email accounts being used by GSA SER

    Is there any possible link?

    But anyhow, you have helped me mightily, heartfelt thanks!
  • edited July 2014
    I don't know. There could be honeypot sites out there looking for people who post with emails they can brute-force to send spam with. I get brute-force attempts on emails all day long that have nothing to do with SER though.
  • Brute-force attacks have also become so common on WP sites . . . gonna have to beef up security at my end, for sure.

    Thanks again for your help, Dude

    Good luck!
  • My host suspended my account because this happened twice to me. And I used generated passwords.
  • edited July 2014
    @delysid your host (or you, if you had root access) should have been using stronger security settings to make it really hard to brute-force a 32-character password. It's important to have your cPHulk or, even better, CSF firewall settings correctly configured to stop brute-force attacks. Because unless this "hacker" has $2k to spend a day on shared proxies, if his IPs are getting banned rapidly from trying to log in, it's going to be supremely difficult to brute-force.

    Like I said, I use Host Access Control. No IP can log in to any cPanel account, or email, unless it is my IP. The only way around that is to know my IP and spoof the IP using Linux (and that might not even work; I have never tried).